The premint function in the Infiltration.sol contract lacks necessary checks for MAX_MINT_PER_ADDRESS, potentially violating the minting limitations established for fair gameplay. Additionally, the function can be invoked at any time before the game starts, which is inconsistent with the intended functionality as documented.
Vulnerability Detail
The premint function does not enforce the MAX_MINT_PER_ADDRESS limit which exists in the regular mint function. This oversight allows for an unlimited amount of tokens to be preminted for an address, which can break the game's fairness as the invariant of MAX_MINT_PER_ADDRESS is not respected. Furthermore, the function lacks a timestamp check to ensure it is called only after the minting period ends, thus allowing premature execution that can disrupt the game start.
Impact
If exploited, this vulnerability could lead to an unfair advantage for certain players who could bypass the minting limitations, undermining the integrity of the game's economy and the trust of the player base. This may also have financial repercussions if the game involves trading or value associated with the minted items.
/*
* @inheritdoc IInfiltration
* @notice As long as the game has not started (after mint end), the owner can still mint.
*/
function premint(address to, uint256 quantity) external payable onlyOwner {
if (quantity * PRICE != msg.value) {
revert InsufficientNativeTokensSupplied();
}
if (totalSupply() + quantity > MAX_SUPPLY) {
revert ExceededTotalSupply();
}
if (gameInfo.currentRoundId != 0) {
revert GameAlreadyBegun();
}
_mintERC2309(to, quantity);
}
It is recommended to add a check within the premint function to enforce the MAX_MINT_PER_ADDRESS limit. This check should mimic the one present in the mint function to maintain consistency and ensure fairness. Moreover, a timestamp condition should be introduced to confirm that premint can only be called after mintEnd. Implementing these checks will align the function's behavior with its intended use as specified in the documentation.
0xWSeeC
high
MAX_MINT_PER_ADDRESSinvariant can be brokeSummary
The
premintfunction in the Infiltration.sol contract lacks necessary checks forMAX_MINT_PER_ADDRESS, potentially violating the minting limitations established for fair gameplay. Additionally, the function can be invoked at any time before the game starts, which is inconsistent with the intended functionality as documented.Vulnerability Detail
The
premintfunction does not enforce theMAX_MINT_PER_ADDRESSlimit which exists in the regularmintfunction. This oversight allows for an unlimited amount of tokens to be preminted for an address, which can break the game's fairness as the invariant ofMAX_MINT_PER_ADDRESSis not respected. Furthermore, the function lacks a timestamp check to ensure it is called only after the minting period ends, thus allowing premature execution that can disrupt the game start.Impact
If exploited, this vulnerability could lead to an unfair advantage for certain players who could bypass the minting limitations, undermining the integrity of the game's economy and the trust of the player base. This may also have financial repercussions if the game involves trading or value associated with the minted items.
Code Snippet
https://github.com/sherlock-audit/2023-10-looksrare/blob/881e75651d6592892f10a99f57d2862cf0df65f5/contracts-infiltration/contracts/Infiltration.sol#L445-L463
https://github.com/sherlock-audit/2023-10-looksrare/blob/881e75651d6592892f10a99f57d2862cf0df65f5/contracts-infiltration/contracts/Infiltration.sol#L465-L492
Tool used
Manual Review
Recommendation
It is recommended to add a check within the
premintfunction to enforce theMAX_MINT_PER_ADDRESSlimit. This check should mimic the one present in themintfunction to maintain consistency and ensure fairness. Moreover, a timestamp condition should be introduced to confirm thatpremintcan only be called aftermintEnd. Implementing these checks will align the function's behavior with its intended use as specified in the documentation.Duplicate of #24